CVE-2024-49035
published 2024-11-26

CVE-2024-49035: An improper access control vulnerability in Partner.Microsoft.com allows an unauthenticated attacker to elevate privileges over a network.

Priority: P1 · 87
Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed (Known Exploited Vulnerability), due date 2025-03-18
Exploited in the wild (ITW)
EPSS: 1.34% (67.8th percentile)

Affected (2 ranges)

Vendor      Product                    Version range   Fixed in
microsoft   microsoft_partner_center   -               -
msrc        microsoft_partner_center   -               -

Detection & IOCs (extracted from sources)

  • The vulnerability is in Partner.Microsoft.com (Microsoft Partner Center): improper access control lets an unauthenticated attacker elevate privileges over the network. Monitor for anomalous unauthenticated access attempts and unexpected privilege-escalation events originating from or targeting partner.microsoft.com.
  • Exploitation is confirmed in the wild (Exploitation Detected). Prioritize monitoring and response for any activity related to a Partner Center access-control bypass.
  • The fix is server-side only: Microsoft deploys it to the Partner Center / Power Apps online service, and no customer-side patch or configuration change is required. Detection therefore has to rely on network-level anomalies and Partner Center audit logs showing unauthorized privilege escalation, not on patch inventory.
  • CISA BOD 22-01 guidance for cloud services applies: if mitigations are unavailable, discontinue use of the product.

CVSS provenance

Source        Score  Severity  Vector
nvd (v3.1)    9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck     8.7    HIGH
cisa          9.8    CRITICAL
vendor_msrc   8.7    HIGH